httpd-docs mailing list archives

From: Rich Bowen
Subject: Re: Security tips and dictionary attacks with UserDir
Date: Thu, 29 Jan 2004 00:07:20 GMT
On Wed, 28 Jan 2004, Paul D. Robertson wrote:

> >> UserDir disabled
> >> UserDir enabled probertson test foo
> >> UserDir public_html
> >> 
> >> This will stop Apache from disclosing which user-ids exist on a system,
> >> which attackers may use to figure out hidden, administrative or temporary
> >> ids which might be exploited by other non-Apache attack vectors, such as FTP
> >> or SSH.
> >> 
> >> =========end==========
> > 
> > Thanks. This is a good additional remark. Linking to this from the
> > security doc (or the other way around) might be good. I think the
> > security doc may already mention this.
> >
> I didn't see a mention (unless there's a different document than
> security_tips that I missed?) so I'd be happy if it got added to the
> security doc.  I wrote it up internally due to the release of a tool which
> takes advantage of this being in the wild, but the less compromised machines
> there are out there, the better.

Oops. No. It's the public_html document that has this mentioned.

> Should diffs come to this list, or elsewhere?

Diffs to the list is fine.

> > On a related note, I'd like to discuss whether we want to have UserDir
> > disabled by default.
> > Pros) Improved default security
> > Cons) Increased tech support questions about enabling this feature
> Given Apache's penetration into the corporate server space, I'd bet that
> less than 5% of servers rely on userdir (ISPs and geek colo boxes mostly)-
> so I'd bet that the fall-out wouldn't be huge (mostly folks who know how to
> turn it back on.)  But 5% of the Apache install base is a big number- if the
> original statements were commented out in the default config, the hurdle
> wouldn't be that high for the semi-clued.

I expect that the statistics are rather less skewed than this, but I
have no actual statistical support for this belief.

When we are young, wandering the face of the earth,
wondering what our dreams might be worth,
learning that we're only immortal for a limited time.
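As an added illustration of the quoted UserDir advice (this helper is not from the thread or from httpd itself), the snippet below applies UserDir directives in order using the documented "disabled"/"enabled [user ...]" keyword forms and flags a configuration where every account's /~name/ URL is resolvable, which is what lets a probe distinguish existing from non-existing user-ids. It assumes, as a simplification, that a config with no directory line has user directories off (httpd 2.0 of the thread's era defaulted to public_html instead); the sample configs are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class UserDirPolicy:
    directory: Optional[str] = None       # last plain "UserDir <dir>", e.g. public_html
    globally_disabled: bool = False       # set by a bare "UserDir disabled"
    enabled: set = field(default_factory=set)   # users named in "UserDir enabled a b"
    disabled: set = field(default_factory=set)  # users named in "UserDir disabled a b"

def parse_userdir(config: str) -> UserDirPolicy:
    """Apply UserDir directives top to bottom, following mod_userdir's keyword forms."""
    policy = UserDirPolicy()
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        m = re.match(r"(?i)UserDir\s+(.+)$", line)
        if not m:
            continue
        args = m.group(1).split()
        keyword, users = args[0].lower(), args[1:]
        if keyword == "disabled":
            if users:
                policy.disabled.update(users)
            else:
                policy.globally_disabled = True
        elif keyword == "enabled":
            if users:
                policy.enabled.update(users)
            else:
                policy.globally_disabled = False
        else:
            policy.directory = args[0]
    return policy

def userdir_allowed(policy: UserDirPolicy, user: str) -> bool:
    """True if /~user/ would be mapped to a directory under this policy.
    Assumption: no directory configured means the feature is off."""
    if policy.directory is None or user in policy.disabled:
        return False
    return not policy.globally_disabled or user in policy.enabled

def audit(config: str) -> List[str]:
    """Findings a reviewer would raise about user-id disclosure via UserDir."""
    policy = parse_userdir(config)
    if policy.directory and not policy.globally_disabled:
        return ["UserDir is on for every account, so /~name/ responses reveal which "
                "user-ids exist; use 'UserDir disabled' plus an explicit "
                "'UserDir enabled user ...' allowlist"]
    return []

# Constructed samples: the thread's recommended form versus a permissive one.
RECOMMENDED = "UserDir disabled\nUserDir enabled probertson test foo\nUserDir public_html\n"
PERMISSIVE = "UserDir public_html\n"
```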
